- Pocket PC/Windows Mobile Security Software

- PDA Security Research and Testing 
Introduction

A Review of Pocket PC Abuses 

ARM Review (see references for more info) 

Information Disclosure Bugs 

Pocket PC Portal Attack 

Miscellaneous Attacks (the catch all) 

Local Exploits 

Remote Exploits 
Ratter - DUST Virus

- PoC Released July 2004

- KDataStruct redefined previous work

- http://www.informit.com/articles/article.asp?p=337069&rl=1

Seth Fogie - Pocket PC Abuse - Shellcode, Keylogger, 
Buffer Overflow, etc. 

- BlackHat USA 2004 and Defcon 12 

- http://www.airscanner.com/pubs/BlackHat2004.pdf 



San (xfocus.org) - Hacking Windows CE

- Hack in the Box 2005

- http://www.packetstormsecurity.org/hitb05/TT-San-Hacking-Windows-CE.ppt
Review



Collin Mulliner - Exploiting Pocket PC

- What the Hack 2005, Defcon 14

- TMail Exploit 

- http://www.mulliner.org/pocketpc/ 

Tim Hurman - Exploring Windows CE Shellcode 

- Clear cache concept and in depth shellcode discussion 

- http://www.pentest.co.uk/documents/exploringwce/exploring_wce_shellcode.html



Kevin Finisterre - Bluetooth Exploits on PDA 

- http://www.digitalmunition.com/bluetooth.html 
Can I find at least 99 security problems in Windows Mobile programs?

- Look for remote attacks, local overflows, password protection, testing encryption & protection programs, indirect issues (PDA or Web), DoS

This is the result of that project
Lack of policy for BYO-PDA/Smartphone users

- Windows Mobile users are 'unchecked'

Security risks are not taken seriously, not understood, or simply overlooked

Multi-user Debate

- The issue isn't multi-user... it is the mobility

24% of devices are lost/stolen

- Access to sensitive data on the PDA
Previously (WM2003-)... Microsoft Embedded VC++

- Relatively simple and easy to use (File - Open - Exe)

- Live debugging, memory & register changes, breakpoints

- FREE

- No disassembler, crashes on system DLL functions

Now... Visual Studio 2005 Hack Job

- Create & build blank console application

- Manually remove exe and all debugging information (pdb files)

- Copy in target exe and trick debugger into using new exe

- Still no disassembler...

- $$$$
Tools - IDA w/ WCE Debugger

IDA Pro w/ WCE Debugger

- Code, register, memory, & DLL access

- Debugging with disassembly (IDA Style)

- Memory manipulation

- Doesn't crash on ROM DLL access

- $400 + $100

Windows Mobile Phone/Smartphone

- IDA doesn't always work (per device?)

- Access Denied: set the key '00001001' to dword:1 in HKLM\Security\Policies\Policies
Registers

- R0-R3 used directly during function calls

- R14 (SP) // R15 (PC)

Condition Flags

- N(neg) Z(zero/equal) C(carry) V(overflow)

Opcodes

- MOV R0, R0 // BL // BNE // MOVS

Memory & System Issues

http://wiki.4hv.org/index.php/Instruction_set:_ARM
Plaintext Passwords

Verichat - Chat program
IM+PPC - Chat program
Agile - Chat program
File Transfer Anywhere
NeoFTP
Thunderhawk
RemoteKeyboard
imov Basic Messenger
Funk WEP Key (driver issue)

[Screenshot: PHM Registry Editor showing a TranCreative key under HKEY_LOCAL_MACHINE with the values PassCode = 'mypass' and RemoteIpAddress stored in the clear]
[Screenshot: UltraEdit-32 hex view of ProjectMaster.pws (D:\PocketPC\cracking\Attacks\_Information disclosure\Protected vs Authe..., modified 7/12/2005): the UTF-16 strings 'Your Login Name is : seth' and 'Your Login Password is : mypass' sit in the file in the clear, e.g. the bytes 6D 00 79 00 70 00 61 00 73 00 73 00 spell 'mypass']
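The dumps above also show why a plain `strings` pass misses these leaks: Windows Mobile writes wide-character text, so 'mypass' is stored as 6D 00 79 00 70 00 ... The following is an added example (my code, not from the slides) that pulls UTF-16LE strings out of an application data file and flags the ones that mention a credential; it runs on a constructed file modelled on the ProjectMaster.pws layout, not on the real file.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample file, modelled on the ProjectMaster.pws dump above
# (UTF-16LE BOM, wide-char text, a few binary separator bytes). Not the real file.
SAMPLE_FILE = (
    b"\xff\xfe"                                      # UTF-16LE byte-order mark
    + "Your Login Name is : seth".encode("utf-16-le")
    + b"\xff\x08"                                    # binary record separator
    + "Your Login Password is : mypass".encode("utf-16-le")
    + b"\x00\x00\x60\x40"                            # trailing binary data
)

MIN_LEN = 4
CREDENTIAL_HINTS = ("password", "passwd", "pwd", "passcode", "login", "key")


def _wide_pattern(min_len: int) -> "re.Pattern[bytes]":
    # A run of min_len+ printable ASCII code units encoded as UTF-16LE: <byte> 0x00
    return re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for each printable UTF-16LE run, like `strings -el`."""
    for m in _wide_pattern(min_len).finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def find_credential_strings(data: bytes) -> List[Tuple[int, str]]:
    """Return the wide strings whose text mentions a credential-related word."""
    return [(off, text) for off, text in utf16le_strings(data)
            if any(hint in text.lower() for hint in CREDENTIAL_HINTS)]


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan an application data file copied off the device."""
    with open(path, "rb") as fh:
        return find_credential_strings(fh.read())


if __name__ == "__main__":
    for offset, text in find_credential_strings(SAMPLE_FILE):
        print(f"0x{offset:08x}  {text!r}")
```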
Plaintext Over Network

Abidia Wireless - Ebay monitoring for MANY PDA's

- Password stored in encrypted file (good!)

- Decrypted during execution -> password stored in memory (bad)

- URL to Abidia is plaintext and includes password

- Oh wait... URL is to ABIDIA!???

- Proxy based brute force password cracking via Abidia?

myAuctions - Ebay Monitoring

- POST /login/login_res.asp?emvef=&%23191;&emv_ref=&emv_id=&emv_searchuser=&emv_userid=seth&emvpass=tester&emvsid=wk8117Q73l854485e8

O-Anywhere - Overstock monitoring (Palm/WM)
Plaintext via Debug

[Screenshot: IDA View of Project_Master.exe during a debug session: the bytes at 0017807A-00178086 are shown as DCB 0x6D, 0x79, 0x70, 0x61, 0x73, 0x73 ('m', 'y', 'p', 'a', 's', 's') interleaved with 0x00, i.e. the password 'mypass' as a UTF-16 string in process memory]
File Hack Bypass

[Screenshot: UltraEdit-32 hex view (D:\PocketPC\cracking\Attacks\_Information disclosure\+++passwordmast..., modified 2/25/2007) comparing 111111.pms and 222222.pms, two Password Master data files whose names suggest the master passwords 111111 and 222222; a 32-byte block is selected (Bytes Sel: 32) and the surrounding UTF-16 content is visible in the dump]
Registry Hack Bypass

PAM - Stock and Asset Manager

- Encrypted password stored in registry

- Overwrite it with 'known' encrypted password

Pocket Money

- Delete password key from registry -> removes all protection

MoneyTracer

- Disable the password requirement via registry

- Set password to 'known' encrypted password (password1=98, password2=98 -> 1111)

WebIS Money

- Delete their 'hidden' key @HKLM/software/microsoft/pim/outlook/IMAP/Folders/Hll

- The file is not encrypted and can be moved to another location and read

Stock Manager 4.51 - Manage Stocks

- Write 00 to byte 0x5B of the PrefBuf registry entry to disable protection

Passman 1.2 - Credit card/password storage

- \HKCU\Software\passman\preferences

  • Startpasswdenabled = 1

  • Set Startpasswdenabled = to disable protection

Password Master 1.0 - Password storage

- \HKCU\Software\Data\Password Master\Pref\dt

  • Delete dt key to reset 'master' password
  -> Full access to all protected passwords
Debugger Bypass

All the programs whose EXE revealed the password in plaintext under the debugger

- Password Manager

- Project Master

- Password Master

- WebIS Money

Code Wallet
[Screenshot: UltraEdit-32 hex view (D:\PocketPC\cracking\Attacks\_Information disclosure\+++codewallet..., modified 12/22/2006) of two CodeWallet data files, My Sample Wallet_222.cw5 and My Sample Wallet81 25.cw5; the header reads 'Developer One® CodeWallet© File. http://www.developerone.com (5.00a)' and is followed by binary record data]
CodeWallet - Alt. Approach

[Screenshot: IDA View-E while debugging CodeWallet: the General registers window (R0-R12, SP, LR, PC = 00037CC4, PSR = 2000001F, stopped inside sub_37B44+180) beside a .data listing of single bytes (DCB 0xD5, 0x25, 0x6E, 0x6D, 0x56, 0x64, ...) in process memory]
CodeWallet - Warez'd Version

Release Info: - This is not a normal release, apart from the cracks it has a set of xtras.

All 4 sets of exes are cracked to pre-regged. Copy and njoy.

On the other hand you should think 2ce b4 using the program.

See how it says: "Password protection and strong data encryption keeps your information from others." above?

Well, that's bull@#@#@ shit.

The cracked+unsecured exes have the password check disabled (keep typing ones until the number of symbols reaches the number of symbols in your password, then the program would auto-login, regardless of whether the password is correct or not. (if it's possible to disable autologin, then it would just be the matter of typing the right number of symbols (trial and error in say 10 tries)))

I'm appalled to see that the program doesn't encrypt the data, only keeping it in a proprietary format, and just memcmps the password derivatives. Companies like this have a duty to keep their customers' data secure, it's not about how many fat suffixes like Pro or Premium or what not the product has at the end. It's whether a cracker can break it in 5 minutes and walk away with all your credit card numbers.

I hope they get a lot of refund claims.

Furthermore, the developers were pointed out they were bullshitting the customers in v6.11, and they still did it in v6.14. What a bunch of pricks.

FALLEN

p.s I call on all the ppl who crack pc and ppc security apps to test them for bullshit like this.
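The registry hacks listed earlier and the "memcmps the password derivatives" remark share one root cause: the protected data sits in the file in the clear and a separately stored flag or password derivative decides whether to show it. The added example below (my code, not any of these vendors') models that weak design beside one where the data can only be decrypted with a key derived from the password, so there is no registry value to flip or delete. The obfuscation mapping is a hypothetical one that merely reproduces the '1 -> 98' pair from the MoneyTracer bullet, and the SHA-256 counter-mode stream plus HMAC is a stdlib-only stand-in for a vetted AEAD cipher.

```python
import hashlib
import hmac
import os

SECRET = b"Visa 4111 1111 1111 1111 exp 01/09"   # constructed sample wallet record


# ---- weak design as seen on the slides: an 'enabled' flag plus a stored derivative ----
def obfuscate(password: str) -> bytes:
    """Hypothetical per-character mapping ('1' -> 98); NOT any vendor's real algorithm."""
    return bytes((ord(c) + 49) & 0xFF for c in password)


def weak_store_create(password: str, secret: bytes):
    registry = {"Startpasswdenabled": 1, "password": obfuscate(password)}
    return registry, secret                  # the data file holds the secret in the clear


def weak_unlock(registry: dict, datafile: bytes, typed: str):
    if registry.get("Startpasswdenabled") != 1:      # flag flipped -> no check at all
        return datafile
    stored = registry.get("password")
    if stored is None:                               # key deleted -> 'reset' master password
        return datafile
    return datafile if hmac.compare_digest(obfuscate(typed), stored) else None


# ---- hardened design: the key exists only while the user supplies the password ----
def _derive(password: str, salt: bytes):
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, dklen=64)
    return km[:32], km[32:]                  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a stdlib-only stand-in for a real cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def strong_store_create(password: str, secret: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    ct = _xor(secret, _keystream(enc_key, nonce, len(secret)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Nothing stored says 'enabled' or holds a password derivative to compare against.
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def strong_unlock(store: dict, typed: str):
    enc_key, mac_key = _derive(typed, store["salt"])
    expect = hmac.new(mac_key, store["nonce"] + store["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, store["tag"]):
        return None                          # wrong password or tampered file
    return _xor(store["ct"], _keystream(enc_key, store["nonce"], len(store["ct"])))


if __name__ == "__main__":
    reg, data = weak_store_create("1111", SECRET)
    print("weak, flag set to 0:", weak_unlock({**reg, "Startpasswdenabled": 0}, data, ""))
    store = strong_store_create("1111", SECRET)
    print("strong, no password:", strong_unlock(store, ""))
```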
Poor Software Protection

This assumes the company is really trying.

The 'hidden' file approach

- \Windows\actl034.dll

- Appears to be default protection method for a reported 80+ titles

Don't post source code for activation key algorithm (GoDB)

[Screenshot: GoDB download page listing 'Apps. Activation Code - 25-1-2005 - Sample code for Activating trial applications' with a Download link]
Poor Software Protection

PocketIRC - IRC client for Windows Mobile

- Do not hard code key into program

- If you do, try not to make it 'readable'



sub_13DBC:
    STMFD   SP!, {LR}
    LDR     R0, =unk_301BB          ; <-- GET ENTERED CODE
    MOV     R2, #0x10               ; int
    MOV     R1, #0                  ; uchar_t **
    LDR     R0, [R0,#0x88]
    CMP     R0, #0
    LDREQ   R0, =unk_30198          ; uchar_t *
    BL      wcstoul
    LDR     R2, =0xBADBABE
    MVN     R3, R0
    CMP     R3, R2
    BEQ     loc_13DFC
    BL      sub_13E14
    ANDS    R3, R0, #0xFF
    MOV     R0, #0
    BEQ     loc_13E00
loc_13DFC:                          ; CODE XREF: sub_13DBC+2C↑j
    MOV     R0, #1
loc_13E00:                          ; CODE XREF: sub_13DBC+3C↑j
    AND     R0, R0, #0xFF
    LDMFD   SP!, {PC}



[Screenshot: coLinux console running "perl bullguard.pl -p 32 25 27 2b 72 78 37 79", which prints "password=AAAAAAA", beside an UltraEdit view of a BullGuard configuration file (VGTimeStamp=ss:7, modified 7/4/2005)]

[Screenshot (1-Pass): registry editor 'New Data Value' dialog whose binary value consists of the repeated byte sequence 0D 75 E2 21]
Pocket Internet Explorer

(right edge of the slide text is cut off by the screenshot)

IE Crash

- CSS (<=WM 2003)

- WML (WM5) - Mike Kemp

DOM Broken (<=WM200...

- Access local files from IE (<...

Cross Frame Scripting (<=...

- JS read/write from one fran...

IE Local File Accesses Vl... WM5!

- Scan for programs installed

http://airscanner.com/test...

[Screenshot: Pocket Internet Explorer at http://www.airscanner.com/test showing a Scripting Alert: 'You are running an outdated version of Flex Wallet. Please update your data files. You will now be redirected to upgrade site']

Minimo (Firefox for WM)

Firefox 1.5 Password Manager Broken

- RSnake & WhiteAcid @ sla.ckers.org

Firefox 2.0 Robert Chapin bugzilla'd it

- bugzilla.mozilla.org/show_bug.cgi?id=360493

Patched in 2.0.0.3 ??? No.

Minimo still not patched...
[Screenshot: Minimo showing 'Index of /', a directory listing of the device root served by HPH Server (Build Nov 7 2006 10:43:55, PocketPC2003/WM2003 UNDER_CE=420): My Pictures/, Templates/, Personal/, Business/, My Music/, Hot Spots/, ProjectMaster/, Password Files/, WebIS/, ameota.CAB, softresetWM5.fu2, test.pms, 111111.pms, 222222.pms, 222222to111111.pms, 333333.pms]
PDA Mill - Gamebox Classics and Gems

- Fake highscore 

- Example 

Bounce! Via Spb uploader 

- XSS Type 2 via debugger 

- Example 

elements interactive - Quartz2, Foo Fighter... 

- Fake highscore 

- Example 

Astraware Sudoku 

- XSS Type 2 via URL (detected by memory monitoring) 

- Example 
Vendor Sites XSS

[Screenshot: Firefox showing http://www.spbsoftwarehouse.com/support/subscribe.php (Spb Software House newsletter page, Dutch) with an injected script alert 'Welcome!' and the server response 'Your subscription state has been updated. Your email: asdf']
Cingular Xpressmai 



Mobile Email/Document Access 

Contained several directory traversal bugs 

CSRF Playground 

Movie... 

SEVEN is currently offered worldwide in 64 countries by 
115 leading mobile operators and Internet email service 
providers including Cingular Wireless, Globe Telecom, 
Hutchison, KDDI Corp., NTT DoCoMo, O2, Optus,
Orange, SingTel, Sprint Nextel, Telefonica Moviles, 
Telenor Group, Telkom Indonesia, Vimpelcom and 
Yahoo!. 
ActiveSync <=3.8 (Network Sync)

- Spawn login prompt on PC & capture reply

[Screenshot: coLinux console (~/_activesync) running the demo tool: "Creating socket...", "Connecting to server...", "Writing packet 1...", "Writing packet 2...", "Reading echo packet...", "Password: 1234"]
WifiTunes - iTunes listener for WM



- Wifitunes list on all clients? 

- iTunes mDNS Protocol Abuse 

- i-twn-u & itwnes demo 

• Add spoofed shared lists 

• Change valid shared lists 

• Swap valid shared lists 

• Kill/remove shared lists 

• Create dynamic lists 

• SMS via iTunes share lists 
Remote Keyboard 1.0 - PC keyboard for PPC

- Password stored as plaintext 

- Data passed as plaintext via telnet 'protocol' 

- Opens listener on port 8123 

- Dumps entire clipboard contents to 'client'! 
Windows Mobile Developer Power Toys

- Cecopy.exe - Command line tool for copying 
files to the device currently connected to desktop 
ActiveSync. 

- Rapistart.exe - Command line tool to remotely 
start an application on your Pocket PC from your 
desktop. 

- Rapidebug.exe - Displays detailed information 
about currently running processes. 

-> Own the PC... own the PPC 
[Screenshot: Pocket Internet Explorer opened on file://\program%20files\spb%20ki... beside a registry view of the SpbKioskEngine values (AdjustMode, CreateFile, WriteLog, DisablePhone, AllowAuto..., Password = '1111', ...); slide text partly obscured: Spb Kiosk Engine - bypass kiosk mode via file://\windows\... and file://\program files\...; PDA Defense 1.x - Help option via ..., Autorun -> delete ... Explorer]
Malicious Code Mods

Very easy for WM code

- E.g. - Shell_NotifyIcon

- Hide program from Running Programs list 

- Remote or third party process viewer 

Backdoor FTP (ftpsvr.exe) 

- Change port & hide all visible indicators 

Hidden remote control (vRemote or 
pocketcontroler.exe) 

- Hide all visible indicators 
[Screenshot: UltraEdit-32 (D:\PocketPC\cracking\Attacks\...) showing an antivirus signature database, viruses.db061222 and its .bak copy, stored as plaintext name=signature lines: a hand-added 'Shmoocon-Virus' entry followed by the Cabir.A (dropper), Cabir.D (sis), Cabir.H (Velasco), Cabir.I and Cabir.dropper (sis) signatures]
[Screenshot: Ethereal, file D:\PocketPC\cracking\Attacks\_RemoteExploit\wireless backdoor\aximx50vrequest.cap (50 KB, 00:00:31): frames 192-196 are IEEE 802.11 Probe Requests from HighTech_49:2b:27 to Broadcast, 64 bytes each, carrying a 32-byte SSID parameter set of non-printable bytes ("\b\t\035\035\021\023\v\017\024\020\v\001\003\035\005\032\026\031\026\035\024\001\026\f\036\r\027\n\026\006\006\a") and Supported Rates 1.0(B) 2.0(B) 5.5(B) 11.0(B); a second selected frame carries the SSID 'Dell' (44 65 6c 6c) with rates 02 04 0b 16]
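As an added example (my code, not the slide's), here is a parser for the probe request shown in that capture: it walks the tagged parameters after the 24-byte management header and flags an SSID made of control bytes, which is what distinguishes the backdoor's probes from an ordinary one such as the 'Dell' probe also in the capture. The SSID bytes are taken from Ethereal's decode on the slide; the source MAC is a constructed placeholder because the full address is not on the slide.

```python
import struct

PROBE_REQUEST = (0, 4)                 # management frame (type 0), subtype 4
TAG_SSID, TAG_RATES = 0x00, 0x01
BROADCAST = b"\xff" * 6

# Constructed, locally administered placeholder for the HighTech_49:2b:27 adapter.
SRC_MAC = b"\x02\x00\x00\x49\x2b\x27"

# The 32-byte SSID exactly as Ethereal decoded it (\b\t\035\035\021\023\v\017...).
BACKDOOR_SSID = bytes([
    0x08, 0x09, 0x1d, 0x1d, 0x11, 0x13, 0x0b, 0x0f, 0x14, 0x10, 0x0b, 0x01, 0x03, 0x1d, 0x05, 0x1a,
    0x16, 0x19, 0x16, 0x1d, 0x14, 0x01, 0x16, 0x0c, 0x1e, 0x0d, 0x17, 0x0a, 0x16, 0x06, 0x06, 0x07,
])


def build_probe_request(src: bytes, ssid: bytes, rates: bytes, seq: int = 0) -> bytes:
    """Assemble a minimal probe request: 24-byte management header + tagged params."""
    fc = (PROBE_REQUEST[1] << 4) | (PROBE_REQUEST[0] << 2)   # version 0, no flags
    header = struct.pack("<HH6s6s6sH", fc, 0, BROADCAST, src, BROADCAST, seq << 4)
    return header + bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_RATES, len(rates)]) + rates


def parse_frame(frame: bytes) -> dict:
    """Split a management frame into header fields and a list of (tag id, body)."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 management header")
    fc, _dur, a1, a2, _a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    tags, pos = [], 24
    while pos + 2 <= len(frame):
        tag_id, tag_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + tag_len]
        if len(body) != tag_len:          # truncated IE: stop rather than over-read
            break
        tags.append((tag_id, body))
        pos += 2 + tag_len
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "src": ":".join(f"{b:02x}" for b in a2),
            "dst": ":".join(f"{b:02x}" for b in a1), "tags": tags}


def decode_rates(body: bytes) -> list:
    """Each byte: bit 7 = basic rate, low 7 bits = rate in 500 kbit/s units."""
    return [((b & 0x7F) / 2.0, bool(b & 0x80)) for b in body]


def ssid_report(frame: bytes):
    """None for non-probe frames; otherwise a dict flagging non-printable SSIDs."""
    f = parse_frame(frame)
    if (f["type"], f["subtype"]) != PROBE_REQUEST:
        return None
    ssid = next((body for tid, body in f["tags"] if tid == TAG_SSID), b"")
    rates = next((body for tid, body in f["tags"] if tid == TAG_RATES), b"")
    printable = len(ssid) > 0 and all(0x20 <= b < 0x7F for b in ssid)
    return {"src": f["src"], "ssid_len": len(ssid), "printable": printable,
            "ssid": ssid.decode("ascii") if printable else ssid.hex(),
            "rates": decode_rates(rates),
            "suspicious": len(ssid) > 0 and not printable}   # empty SSID = wildcard probe


if __name__ == "__main__":
    for frame in (build_probe_request(SRC_MAC, BACKDOOR_SSID, b"\x82\x84\x8b\x96"),
                  build_probe_request(SRC_MAC, b"Dell", b"\x02\x04\x0b\x16")):
        print(ssid_report(frame))
```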
Remotely Contro

Handmark Battleship

- Kill networked games by connecting to port 5001 on players PDA

Pocket Transfer Anywhere

- Commands sent unencrypted -> script a client

- Soft reset, file upload, download, reg view and edit, application kill, all process kill, and system information are all options.

Laplink

- No authentication or encryption

- Soft reset, reboot, & kill processes

PocketController (Vendor fixed... kinda)

- Prefix had no encryption

- Soft reset, reboot, & kill processes... hmm familiar?

- Reality check - What about the client!?

VNC 4.1.1 PPC Client -> hand held instant VNC access
WM 5 Code Signing

"The primary defense against malicious code is to not run it at all on the device. Windows Mobile devices implement code signing that can be used for this purpose."[1]

Privileged, Unprivileged, Untrusted

All EXE's and DLL's and CAB's

[1] http://msdn.microsoft.com/smartclient/default.aspx?pull=/library/en-us/dnppcgen/html/wmsecurity.asp
WM 5 Code Signing Bypass

Buffer Overflows

- Disable all signing via registry hack

  • Set HKLM\Security\Policies\Policies\0000101a=1

- Spoof a user (mouseevent)

Sign your malware

- Use SDKSamplePrivDeveloper.spc certs

  • signcode /spc SDKSamplePrivDeveloper.spc /v SDKSamplePrivDeveloper.pvk target.exe/cab/dll

- Still requires user to install your certificate
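A defender can check for exactly this weakening on a policy export taken from a device. The added example below (mine, not from the slides or from Microsoft) parses a .reg export of HKLM\Security\Policies\Policies and reports the two values the slides name when they are set to 1; the meanings attached to the IDs are my understanding of the documented Windows Mobile security policies, so treat them as an assumption, and the export text is constructed.

```python
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\Security\Policies\Policies"

# The two policy IDs the slides touch. The labels are my reading of the Windows
# Mobile security-model documentation, not text from the slides.
WATCHED = {
    "00001001": "Unsigned Applications policy: 1 = unsigned EXEs are allowed to run",
    "0000101a": "Unsigned Prompt policy: 1 = unsigned code runs without prompting the user",
}

# Constructed sample export, not taken from a real device.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001001"=dword:00000001
"0000101a"=dword:00000001
"Comment"="constructed"
"""


def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: (kind, value)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = m.groups()
        if val.startswith("dword:"):
            keys[current][name] = ("dword", int(val[len("dword:"):], 16))
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = ("sz", val[1:-1])
        else:
            keys[current][name] = ("raw", val)        # hex:, @= and other forms
    return keys


def audit_signing_policy(text: str) -> list:
    """List (policy id, meaning) for every watched policy set to 1 under POLICY_KEY."""
    values = parse_reg_export(text).get(POLICY_KEY, {})
    findings = []
    for pid, meaning in WATCHED.items():
        entry = values.get(pid) or values.get(pid.upper())   # exports may upper-case hex
        if entry and entry[0] == "dword" and entry[1] == 1:
            findings.append((pid, meaning))
    return findings


if __name__ == "__main__":
    for pid, meaning in audit_signing_policy(SAMPLE_EXPORT):
        print(f"{pid}: {meaning}")
```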



Local Exploit 1 



FlexWallet 

- Password field in database 

PAM - Stock and Access Manager 

- PAM data file 

Thunderhawk Browser thconfig.txt 

- Long Password -> BO 

Credant Firewall Standalone 

- Configuration file 

- Fixed very fast 
Local Exploit 2



Snails weapons configuration file 

- Weapon specifications mod -> BO 

RedSector 2112 saved game 

- Launch of saved game -> BO 

My Little Tank 

- Resume file -> BO 

Links 

- Saved game file 

Arvale 1 and Arvale 2 

- Saved game list (io.ini) 
WM Smartphone



FlexWallet 

- Pwd field overflow -> BO in DLL 

SQLite 

- Lightweight SQL database 

- Anyone can read/update/delete data via 
sqlite.exe or sqlitebrowser 

Highly limited in overflow abilities 

- Register changes only 

- Functions limited to those with < 4 parameters 
Remote BO Exploit

Remote overflow not probable due to memory offset issue

There just aren't networked services on a PDA

FTPSvr.exe - Standard FTP server
vxFTPSvr.exe - Another FTP server

- http://www.securityfocus.com/bid/14839

vxTftpSvr.exe - TFTP server 

- http://www.securityfocus.com/bid/14842 

Tmail - MMS User agent (tmail.exe) 

- http://www.securityfocus.com/bid/19451 
Remote BO Exploit (Unicode)

PC overwritten with 00 XX 00 XX -> much harder to control.

100% DoS ... possible remote execution, but not probable.

PicoWebServer - Web server

- http://www.securityfocus.com/bid/13807

vxWeb - Another web server

- http://www.securityfocus.com/bid/14839
Visual Studio 2005

WM6 SDK 

ActiveSync 4.5 

Setup DMA connection and debug with IDA 

No obstacles detected so far 
Windows Mobile software is risky

- Can't trust vendors 

- Not always easy to test programs 

- Not many people are looking 

- Code signing is only as good as the software 
ShmooCon Staff

Airscanner crew 

Jon Read 

JOhnny 

Collin Mulliner 

San (Xfocus) 

FALLEN 

Ratter 

And many more. 


